Ransomware demands – to pay or not to pay?

Ransomware attacks show no sign of abating.

According to a recent Menlo Security report, 2022 Impacts: Ransomware attacks and preparedness, one-third of organisations experience a ransomware attack at least once a week, with one in ten subjected to such threats more than once a day.

Against this backdrop, organisations can no longer assume that they won’t be targeted in the belief that they have nothing of value. Attacks are now a question of ‘when not if’. Businesses must ensure preparedness by creating an action plan that details what they should and shouldn’t do when responding to a ransomware event.

What is an action plan?

Those that do will be in a much better position to emerge stronger. Those that don’t will likely find themselves making critical decisions under pressure with tight time constraints – conditions that will induce mistakes, delays and worsened impacts.

So, what should such an action plan include?

  • First, it should outline communications protocols, detailing who to inform in the event of an attack. Stakeholders should be told on a need-to-know basis, giving just enough information to address key questions and concerns and offer assurances that any breach is under control. However, it’s also important to remember that organisations have legal obligations to disclose any breaches to the relevant authorities. For example, the European General Data Protection Regulation defines a window of 72 hours.
  • Second, entities should fully understand the technical aspects of their response strategy. What layers of defence do I have, and how effective are they? Do I have backups available? How can I establish the severity of the attack? These are just some of the questions that firms must answer to formulate an effective response.
  • Thirdly, all organisations should also look to develop mechanisms that allow them to make decisions at speed. This entails testing any proposed plan from end to end to see how long it takes to recover and ascertaining the potential financial impact on the business. That includes considering when it might be appropriate or logical to pay a ransom.

Should you pay the ransom?

The debate over whether to pay or not pay continues to be divisive.

Many argue that paying the ransom incentivises attackers. Indeed, it is strongly discouraged by government authorities as doing so encourages continued criminal activity. However, on the flip side, there is no law against it, and it can sometimes make sense for organisations to do so.

Faster recovery times, reduced reputational harm and even lower costs, should the ransom demanded be less than the expected cost of recovery, mean that paying remains an avenue that continues to be considered – and often actively explored.

According to Menlo’s findings, only a minority say that they would never pay a ransomware demand. Further, nearly two-thirds of respondents say they would pay a ransomware demand, while almost one in three admit they are worried about the risk of paying a ransomware demand and not getting their data back.

Such concerns are rational. Even if a company pays, there is no guarantee attackers will return their data or that a decryption key will work as expected.

Paying a ransom has several significant downsides. Not only will new threat actors be more likely to target you, but those attackers that were already paid may also demand from you again.

Indeed, once an attacker gains a foothold in your network, it is likely that they will maintain it to continually monitor your business, steal data and repeatedly encrypt data for more ransom.

The warning is simple: if you are impacted, even if you pay the ransom and regain access to your data and systems, you could easily be impacted again.

For this reason, any organisation considering paying a ransom must accept the risk that they might not retrieve some or all of their data. They also need to be in a position to conduct a complete security evaluation to detect all elements, scripts and backdoors that might remain on the network or endpoints.

Is cyber insurance the answer?

Beyond this, there are several other options available to organisations that should serve to limit the potential damages of a ransomware attack.

While a defined and tested ransomware response plan will put them in a better position, firms can further protect themselves from massive damages with insurance.

It is good that companies are investigating and investing in cyber insurance. Our survey revealed that 76% of firms have cyber insurance. However, organisations exploring this avenue must ensure they secure the correct coverage level.

Many companies are wildly underestimating the cost of recovery: current insurance payouts cover barely a third of the financial damage inflicted by the average ransomware attack in 2021.

The Menlo Security survey report reveals that the average perceived cost of an attack is $326,531, with insurance payouts extending to an average of $555,971. However, industry figures show the average total cost of recovery from a ransomware attack in 2021 was $1.4 million.

It is therefore likely that even those firms with insurance would find themselves becoming financially crippled in the face of a ransomware attack, unable to afford the difference between the full financial cost of an incident and their maximum coverage.

Embracing and achieving zero trust

In addition to insurance and response plans, it is important to put the right protection mechanisms in place to thwart any attempts from threat actors.

Of course, companies still need backups as well as detection and remediation solutions. Yet prevention tactics are an important way of stopping attacks in their tracks before they have an opportunity to reach the endpoint.

Such prevention tactics must be driven by the principles of zero trust.

Traditional security models operate on the outdated assumption that everything within an organisation’s network can be trusted. However, by provisioning this trust blindly, hackers that gain access to a network can move freely through internal systems, accessing and exfiltrating data without any meaningful resistance.

Zero trust addresses this. It recognises trust as a vulnerability and demands that all traffic is continually verified.

One of the easiest ways of achieving zero trust is through the adoption of isolation technology: a solution that ensures all active code from the internet is executed in isolated cloud containers, removing the risk from web and email attack vectors.

Simply put, it doesn’t matter if there’s a known or unknown vulnerability on the endpoint because no content – be it malicious or not – can reach it.

For more information on how to implement a zero trust security model, visit https://www.menlosecurity.com

Menlo Security

Menlo Security protects organisations from cyberattacks by eliminating the threat of malware from the web, documents, and email. Menlo Security’s isolation-powered cloud security platform scales to provide comprehensive protection across enterprises of any size, without requiring endpoint software or impacting the end-user experience. Menlo Security is trusted by major global businesses, including Fortune 500 companies and eight of the ten largest global financial services institutions, and is backed by Vista Equity Partners, Neuberger Berman, General Catalyst, American Express Ventures, Ericsson Ventures, HSBC, and JP Morgan Chase. Menlo Security is headquartered in Mountain View, California.

